After nearly 20 years of security news this service is discontinued. Some reasons are the very high number of vulnerabilities combined with automatically updating systems. So the necessity of this service is depreciated. We hope that you understand this decision. Please visit us also at http://www.tufin.club!

Most of the links lead to the corresponding files at CERT or
other organisations. So changes take place immediately,
especially which patches should be installed or which changes
in the configuration should be made to avoid this vulnerability.
Some of the files are transferred by FTP.

By the way: If we're not publishing well-known risks
inheritant in any widely used platform or program that
doesn't mean this particular platform or program is safe
to use!

Several vulnerabilities have been found in TYPO3 core. Exploiting them might allow Cross-Site Scripting (XSS) attacks, Information disclosure and other exploits. So it's recommended to update all affected systems.

A heap-based buffer overflow flaw was found in the way the CVS client handles responses from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to crash or, possibly, execute arbitrary code with the privileges of the user running the CVS client.
Updated packages are available now.

Several potential security vulnerabilities have been identified in Java Runtime Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities. HP has provided Java version upgrades to resolve these vulnerabilities.

A potential security vulnerability has been identified with certain HP-UX WBEM components. The vulnerability could be exploited remotely in HP-UX 11.11 and HP-UX 11.23 to gain unauthorized access to diagnostic data. The vulnerability could be exploited locally in HP-UX 11.31 also to gain unauthorized access to diagnostic data. Patches are available now.

A potential security vulnerability has been identified with HP Performance Manager v9.00 running on HP-UX, Linux, Solaris, and Windows. The vulnerability could be exploited remotely to execute arbitrary code and to create a Denial-of-Service (DoS). HP has provided patches to resolve the vulnerability.

The show_config_errors.php scripts did not validate the presence of the configuration file, so an error message shows the full path of this file, leading to possible further attacks. Upgrade to phpMyAdmin 3.4.10.2 or newer is recommended.

Updates address critical vulnerabilities in Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 11.1.111.7 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. So it's recommended to update as soon as possible.

Potential security vulnerabilities have been identified with HP OpenView
Network Node Manager running Apache Tomcat. The vulnerabilities could
be exploited remotely to create a Denial of Service (DoS).
Updated packages are available now.

A flaw was found in the way GnuTLS decrypted malformed TLS records. This
could cause a TLS/SSL client or server to crash when processing a
specially-crafted TLS record from a remote TLS/SSL connection peer.
A flaw was found in the way libtasn1 decoded DER data. An attacker could
create a carefully-crafted X.509 certificate that, when parsed by an
application that uses GnuTLS, could cause the application to crash.
A boundary error was found in the gnutls_session_get_data() function. A
malicious TLS/SSL server could use this flaw to crash a TLS/SSL client or,
possibly, execute arbitrary code as the client, if the client passed a
fixed-sized buffer to gnutls_session_get_data() before checking the real
size of the session data provided by the server.
Updated packages are available now.

A flaw was found in the way libtasn1 decoded DER data. An attacker could
create carefully-crafted DER encoded input that,
when parsed by an application that uses libtasn1, could cause the application to crash.
Updated packages are available now.

It has been discovered that spoofed "getstatus" UDP requests are being
sent by attackers to servers for use with games derived from the
Quake 3 engine such as openarena. These servers respond with a
packet flood to the victim whose IP address was impersonated by the
attackers, causing a denial of service.
Updated packages are available now.

A vulnerability was reported in Red Hat Enterprise Virtualization Manager.
A remote user can submit a REST API request with a specially crafted XML external entity that refers to file system resources
on the target user's system. When the entity is resolved by the target RESTEasy process,
the remote user can read files on the target system with the privileges of the application server process.
Updated packages are available now.

Quagga, a routing software suite, contains multiple vulnerabilities that result in a Denial-of-Service (DoS) condition. An upgrade to Quagga 0.99.20.1 either through the GIT master version or by applying a patch is recommended.

Multiple vulnerabilities has been found and corrected in openssl.
These vulnerabilities may lead to denial of service (DoS) attacks, or may allow context-dependent attackers to decrypt data via
a Million Message Attack (MMA).
Updated packages are available now.

It was discovered that GNUTLS does not properly handle truncated
GenericBlockCipher structures nested inside TLS records, leading to
crashes in applications using the GNUTLS library (DoS).
Updated packages are available now.

It was discovered that many callers of the asn1_get_length_der
function did not check the result against the overall buffer length
before processing it further. This could result in out-of-bounds
memory accesses and application crashes. Applications using GNUTLS
are exposed to this issue.
Updated packages are available now.

The file type identification tool, file, and its associated library,
libmagic, do not properly process malformed files in the Composite
Document File (CDF) format, leading to crashes.
Updated packages are available now.

libzip (version <= 0.10) uses an incorrect loop construct, which can result in a heap overflow on corrupted zip files.
This might allow access to sensitive information.
A directory traversal vulnerability in soup-uri.c in SoupServer in libsoup before 2.35.4 allows remote attackers to read arbitrary files via a encoded dot dot in a an URI.
The index_get_ids function in index.c in imapd in Cyrus IMAP Server before 2.4.11, when server-side threading is enabled, allows remote attackers to cause a Denial-of-Service (NULL pointer dereference and daemon crash) via a crafted References header in an e-mail message.
Updated packages are available now.

Two vulnerabilities have been found in RealPlayer. They can be exploited by remote attackers to execute arbitrary code on a vulnerable system. User interaction is required because a file or a stream needs to be opened and decoded, respectively. RealNetworks has issued updates to correct these vulnerabilities.

Raptor is a RDF parser and serializer library. It allows file inclusion through XML entities, resulting in information
disclosure. Affected is software that is linked against Raptor, e.g. OpenOffice.org.
For some systems an update is available now.

IBM Tivoli Endpoint Manager is vulnerable to cross-site scripting, caused by improper validation of user-supplied input.
A remote attacker could exploit this vulnerability using the ScheduleParam parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. It's recommended that administrators upgrade to the latest version of Tivoli Endpoint Manager.

A number of security vulnerabilities have been identified in the management web interface of Citrix XenServer vSwitch Controller. These vulnerabilities affect all currently supported versions of vSwitch Controller prior to version 6.0.2.
These vulnerabilities have been addressed in a new version of the vSwitch Controller virtual appliance. Citrix recommends that customers using vSwitch Controller upgrade their virtual appliance to version 6.0.2.

A potential risk with CA ARCserve Backup for Windows has been found. A vulnerability exists that can allow a remote attacker to cause a Denial-of-Service (DoS) condition. CA Technologies has issued fixes to address the vulnerability.

Several vulnerabilities have been discovered in Icedove, an unbranded version of the Thunderbird mail/news client.
They might allow remote execution of arbitrary code as well as a Cross-Site Scripting (XSS) attack.
Updated packages are available now.

The LG-Nortel ELO GS24M switch web management interface authentication can be bypassed by accessing URL's for configuration web pages directly. Web pages exist that can download the current device configuration that also includes credentials in cleartext. So a remote unauthenticated attacker may be able to operate and configure the device with the permissions of an administrator.
This product is considered end-of-life by the vendor and is no longer supported. As a workaround appropriate firewall rules should be configured.

Several vulnerabilities have been found in IBM WebSphere Application Server.
Exploiting them might lead to remote unautorized access, Cross-Site Scripting (XSS) or Denial-of-Service (DoS). If an attacker has an existing account, modification of arbitrary files is possible.
Please refer to the advisory regarding the availability of fixes.

Potential security vulnerabilities have been identified with HP Insight Control Software for Linux (IC-Linux). The vulnerabilities could be exploited remotely to execute arbitrary code or to create a Denial-of-Service (DoS).
HP has provided HP Insight Control Software for Linux (IC-Linux) v7.0 to resolve the vulnerabilities.

Several vulnerabilities have been found in DB2 products. Exploiting them might lead to remote Denial-of-Service (DoS) or increased privileges. Users with an existing account might access privileged data, too.
Fixes for these vulnerabilities are available for most affected and supported systems.

Two vulnerabilities have been found in the VLC media player. Using a crafted file, an attacker is able to crash the VLC media player. Arbitrary code execution could be possible on some systems. VLC media player 2.0.1 addresses this issue.

A heap-based buffer overflow flaw was found in the way libpng processes compressed chunks in PNG image files.
An attacker could create a specially-crafted PNG image file that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
For some systems updates are available.

JBoss Operations Network (JBoss ON) is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.
An update for JBoss Operations Network 2.4.2 that fixes one security issue, as well as an update for JBoss Operations Network 3.0.1, which fixes multiple security vulnerabilities, is available now.

A memory disclosure vulnerability has been found in nginx. In previous versions of this web server, an attacker can receive the content of previously freed memory if an upstream server returned a specially crafted HTTP response, potentially exposing sensitive information.
Several vulnerabilities have been identified in Gnash, the GNU Flash player. HTTP cookies are managed in an unsafe manner. They have predictable names, so attackers can overwrite arbitrary files the user of the browser has write access to. Besides this, using specially crafted SWF files may lead to a heap based buffer overflow when such a file is opened. Additionally, temporary files in /tmp are handled in an insecure manner, allowing write access.
The Apache FCGID module, a FastCGI implementation, doesn't properly enforce the FcgidMaxProcessesPerClass resource limit, rendering this control ineffective and potentially allowing a virtual host to consume excessive resources.
Updated packages are available now.

Cross scripting and preconfigured password vulnerabilities have been reported to exist in the Quantum Scalar i500, Dell ML6000 and IBM TS3310 tape libraries. The preconfigured passwords for certain accounts are considered to be weak and could be exploited allowing an attacker user access. An attacker with access to a local user account or via malicious URL can execute arbitrary code or commands on the vulnerable system.
Upgrades for affected firmware are available now.

The VMware XPDM and WDDM display drivers contain buffer overflow vulnerabilities and the XPDM display driver does not properly check for NULL pointers. Exploitation of these issues may lead to local privilege escalation on View virtual desktops. A Cross-Site scripting (XSS) vulnerability in View Manager Portal may allow a remote attacker to run scripts in the victim's browser. The attacker can trigger this vulnerability by supplying a crafted URL to the victim and convincing them to click on the link.
View 5.0 isn't affected, an upgrade to View 4.6.1 is recommended. If still 4.0 is used, an upgrade is strongly recommended since for this version a patch is not planned.

The pidgin_conv_chat_rename_user function in gtkconv.c in Pidgin
before 2.10.2 allows remote attackers to cause a denial of service
by changing a nickname while in an XMPP chat room.
The msn_oim_report_to_user function in oim.c in the MSN protocol
plugin in libpurple in Pidgin before 2.10.2 allows remote attackers to
cause a denial of service via an OIM message that lacks UTF-8 encoding.
New packets are available.

A remote crash vulnerability in Milliwatt application and a possible
exploitable stack buffer overflow have been identified to Asterisk.
This may allow remote attackers to execute a denial of service (DoS), or execute arbitrary code.
A new patch is available for download.

An integer overflow flaw was found in the implementation of the printf
functions family. This could allow an attacker to bypass FORTIFY_SOURCE
protections and execute arbitrary code using a format string flaw in
an application.
New packets are available for download.

Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security
Appliances and Cisco Catalyst 6500 Series ASA Services Module have been identified.
Cisco has released free software updates that address these
vulnerabilities. Workarounds are available to mitigate some of the vulnerabilities.

Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services Module (ASASM) in Cisco Catalyst 6500 series devices,
and the Firewall Services Module in Cisco Catalyst 6500 series devices allow remote attackers
to cause a denial of service (DoS) via a crafted IPv4 PIM message, when multicast routing is enabled.
A new update is available.

Adobe ColdFusion 8.0, 8.0.1, 9.0, and 9.0.1 computes hash values for form parameters without restricting the ability
to trigger hash collisions predictably, which allows remote attackers to cause a denial of service by sending many crafted
parameters.
A new update is available.

Two vulnerabilities have been identified in EMC Documentum eRoom, which can
be potentially exploited by malicious users to conduct session replay and
cross-site scripting attacks.
A new update is available.

Potential security vulnerabilities have been identified with HP Data Protector Express (DPX) 5.0 and 6.0. The vulnerabilities could be exploited remotely to create a Denial-of-Service (DoS) or to execute arbitrary code.
HP has provided upgrades to resolve these vulnerabilities.

A weakness in the OpenSSL CMS and PKCS #7 code can be exploited using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the million message attack (MMA).
Only users of CMS, PKCS #7, or S/MIME decryption operations are affected. A successful attack needs on average 2^20 messages. In practice only automated systems will be affected as humans will not be willing to process this many messages. SSL/TLS applications are *NOT* affected by this problem since this code doesn't use the PKCS#7 or CMS decryption code.
Affected users should upgrade to OpenSSL 1.0.0h or 0.9.8u.

More than 80 vulnerabilities can be corrected now by installing Apple Safari 5.1.4. Exploiting the vulnerabilities might lead to reduced security, Cross-Site Scripting, Denial-of-Service as well as remote code execution and unauthorized access. So this update is recommended.

F-Secure Linux Security 9.10 and 9.11 are not the latest in the product line. In these versions, RedirFS based implementation of real-time (on-access) scanning in Linux Security product will not work on non-root filesystems. Not affected are other scanning mechanisms like manual scanning or commandline-only scanning.
It's strongly recommended to install version 9.12 or the corresponding hotfix.

The vCenter Chargeback Manager (CBM) contains a flaw in its handling of XML API requests.
This vulnerability allows an unauthenticated remote attacker to download files from the CBM server or conduct a Denial-of-Service (DoS) against the server.
Updated software is available now.

Two format string vulnerabilities in DBD::Pg, a Perl DBI driver for the PostgreSQL database server have been found. They can be exploited by a rogue database server. Updated packages are available now.

A potential security vulnerability has been identified with HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows. The vulnerability could be remotely exploited resulting in unauthorized disclosure of information.
HP has made a procedure available to resolve this vulnerability.

An invalid pointer read flaw has been found in the way SystemTap handles malformed debugging information in DWARF format. When SystemTap unprivileged mode is enabled, an unprivileged user in the stapusr group could use this flaw to crash the system or, potentially, read arbitrary kernel memory.
Updated packages are available now.

More than 80 vulnerabilities can be corrected now by installing iOS 5.1 on iPad, iPhone, iPod and other devices. Exploiting the vulnerabilities might lead to reduced security, Cross-Site Scripting, Denial-of-Service as well as remote code execution and unauthorized access. So this update is recommended.

More than 70 vulnerabilities can be corrected now by installing iTunes 10.6. The vulnerabilities might lead to reduced security, Denial-of-Service as well as remote code execution. So this update is recommended.

Several vulnerabilties in Freetype's parsing of BDF, Type1 and TrueType fonts might result in the execution of arbitrary code if a malformed font file is processed.
Updated packages are available now.
Several security vulnerabilities were discovered in MySQL, a database management system. The vulnerabilities are addressed by upgrading MySQL to a new upstream version, 5.1.61, which includes additional changes, such as performance improvements and corrections for data loss defects.

SQLAlchemy is an Object Relational Mapper (ORM) that provides an interface to SQL databases.
It has been discovered that SQLAlchemy doesn't sanitize values for the limit and offset keywords for SQL select statements. If an application using SQLAlchemy accepts values for these keywords and doesn't filter or sanitize them before passing them to SQLAlchemy, it could allow an attacker to perform an SQL injection attack against the application.
The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux.
A heap overflow flaw has been found in the way QEMU emulates the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash QEMU or, possibly, escalate their privileges on the host.
Updated packages address these issues.

All versions of RSA SecurID Software Token Converter contain a buffer overflow vulnerability that could allow a malicious user to cause a Denial-of-Service (DoS) or possibly execute arbitrary code on a system running the Token Converter. RSA strongly recommends that all customers using RSA SecurID Software Token Converter upgrade to version 2.6.1 which can be downloaded now.

Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 6 and for Red Hat Enterprise Linux 5.6 Extended Update Support, respectively.
Since some of the vulnerabilities might lead to remote Denial-of-Service and other problems, updates are recommended.

GIMP is the GNU Image Manipulation Program. Because of several vulnerabilities remote attackers are able to execute arbitrary code on vulnerable systems as well as conduct a Denial-of-Service (DoS).
Two security vulnerabilities related to EXIF processing were discovered in ImageMagick, a suite of programs to manipulate images. Attackers with an existing account might be able to reduce security or to reach a DoS.
Updated packages are available now.

Updates address critical vulnerabilities in Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.1.115.6 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.
Updates should be installed as soon as possible.

It has been discovered that the XML::Atom Perl module doesn't disable external entities when parsing XML from potentially untrusted sources. This may allow attackers to gain read access to otherwise protected ressources, depending on how the library is used.
PLIB, a library used by TORCS, contains a buffer overflow in error message processing, which could allow remote
attackers to execute arbitrary code.
Updated packages are available now.

IBM Tivoli Provisioning Manager Express for Software Distribution 4.1.1 ActiveX control (Isig.isigCtl.1) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the RunAndUploadFile() method. By persuading a victim to visit a specially-crafted Web page, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the victim's browser to crash.
It's also vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the GetAttachmentServlet, logon.do, register.do, addAsset.do, SoapServlet, or CallHomeExec servlets or via a specially-crafted EG2 file using various parameters, which could allow the attacker to view, add, modify or delete information in the back-end database.
There is no replacement for IBM Tivoli Provisioning Manager Express for Inventory (5724-N88) and IBM Tivoli Provisioning Manager Express for Software (5724-N89) Distribution. However a follow-on product, IBM Tivoli Endpoint Manager for Lifecycle Management v8.1 (5725-C43), is available.

Several vulnerabilities were discovered in Movable Type, a blogging system.
Exploiting them might lead to command injection, Cross-Site Request Forgery (CSRF) or Cross-Site Scripting (XSS) attacks. It's recommended to install updated packages which are available now.

A buffer overflow vulnerability in the handling of WorkStation files (.ws) by IBM Personal Communications could allow a remote attacker to cause a Denial-of-Service (application crash) or potentially execute arbitrary code on vulnerable installations of IBM Personal Communications.
A fix is available now.

JBoss Enterprise Portal Platform is the open source implementation of the Java EE suite of services and Portal services running atop JBoss Enterprise Application Platform.
It was found that JBoss Web doesn't handle large numbers of parameters and large parameter values efficiently. A remote attacker could make JBoss Web use an excessive amount of CPU time by sending an HTTP request containing a large number of parameters or large parameter values.
This Denial-of-Service (DoS) can be avoided by installing an update for JBoss Enterprise Portal Platform 4.3 CP07.